Bug 40195 - UCS400: Removing ACLs on shared folder objects does not remove ACLs in IMAP
UCS400: Removing ACLs on shared folder objects does not remove ACLs in IMAP
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail - Dovecot
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.0-4-errata
Assigned To: Daniel Tröder
Sönke Schwardt-Krummrich
:
Depends on: 40194
Blocks:
  Show dependency treegraph
 
Reported: 2015-12-08 15:15 CET by Sönke Schwardt-Krummrich
Modified: 2016-01-20 13:44 CET (History)
2 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sönke Schwardt-Krummrich univentionstaff 2015-12-08 15:15:59 CET
This has to be backported for UCS 4.0.

+++ This bug was initially created as a clone of Bug #40194 +++

When removing an ACL at a shared folder object, the ACL will not be removed from IMAP folder. The last configured permission for that user/group is kept.
Comment 1 Daniel Tröder univentionstaff 2015-12-15 15:24:35 CET
IMAP ACLs were only removed on "public" shared folders. The same code for diff'ing old and new ACLs is now also used for "private" shared folders.

Code: 66356
YAML: 66360
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2016-01-20 12:08:51 CET
OK: code change
OK: functional test
OK: YAML (reworded description → r66895)

Check old package version:

# eval "$(ucr shell)"
# udm mail/folder create --position "cn=mail,$ldap_base" --set name=FolderPriv1 --set mailDomain=nstx.local --set mailHomeServer=master90.nstx.local
Object created: cn=FolderPriv1@nstx.local,cn=mail,dc=nstx,dc=local
# doveadm acl get -A FolderPriv1@nstx.local/INBOX
Username ID Global Rights
# udm mail/folder modify --dn cn=FolderPriv1@nstx.local,cn=mail,$ldap_base --append sharedFolderUserACL="mail2@nstx.local read"
Object modified: cn=FolderPriv1@nstx.local,cn=mail,dc=nstx,dc=local
# doveadm acl get -u mail1@nstx.local FolderPriv1@nstx.local/INBOX
ID                    Global Rights
user=mail2@nstx.local        lookup read write write-seen
# udm mail/folder modify --dn cn=FolderPriv1@nstx.local,cn=mail,$ldap_base --remove sharedFolderUserACL="mail2@nstx.local read"
Object modified: cn=FolderPriv1@nstx.local,cn=mail,dc=nstx,dc=local
# doveadm acl get -u mail1@nstx.local FolderPriv1@nstx.local/INBOX
ID         Global Rights
# udm mail/folder modify --dn cn=FolderPriv1@nstx.local,cn=mail,$ldap_base --append sharedFolderGroupACL="grp3 append"
Object modified: cn=FolderPriv1@nstx.local,cn=mail,dc=nstx,dc=local
# doveadm acl get -u mail1@nstx.local FolderPriv1@nstx.local/INBOX
ID         Global Rights
group=grp3        insert lookup post read write write-seen
# udm mail/folder modify --dn cn=FolderPriv1@nstx.local,cn=mail,$ldap_base --remove sharedFolderGroupACL="grp3 append"
Object modified: cn=FolderPriv1@nstx.local,cn=mail,dc=nstx,dc=local
# doveadm acl get -u mail1@nstx.local FolderPriv1@nstx.local/INBOX
ID         Global Rights

# eval "$(ucr shell)"
# udm mail/folder create --position "cn=mail,$ldap_base" --set name=FolderPub2 --set mailPrimaryAddress=pub2@nstx.local --set mailDomain=nstx.local --set mailHomeServer=master90.nstx.local
Object created: cn=FolderPub2@nstx.local,cn=mail,dc=nstx,dc=local
# doveadm acl get -u mail1@nstx.local shared/pub2@nstx.local
ID Global Rights
# udm mail/folder modify --dn cn=FolderPub2@nstx.local,cn=mail,$ldap_base --append sharedFolderUserACL="mail3@nstx.local append" --append sharedFolderGroupACL="grp4 read"
Object modified: cn=FolderPub2@nstx.local,cn=mail,dc=nstx,dc=local
# doveadm acl get -u mail1@nstx.local shared/pub2@nstx.local
ID                    Global Rights
group=grp4                   lookup read write write-seen
user=mail3@nstx.local        insert lookup post read write write-seen
# udm mail/folder modify --dn cn=FolderPub2@nstx.local,cn=mail,$ldap_base --remove sharedFolderUserACL="mail3@nstx.local append"
Object modified: cn=FolderPub2@nstx.local,cn=mail,dc=nstx,dc=local
# doveadm acl get -u mail1@nstx.local shared/pub2@nstx.local
ID                    Global Rights
group=grp4                   lookup read write write-seen
user=mail3@nstx.local        insert lookup post read write write-seen                 ←←←←←←←←←← FAIL IN OLD VERSION
# udm mail/folder modify --dn cn=FolderPub2@nstx.local,cn=mail,$ldap_base --remove sharedFolderGroupACL="grp4 read"
Object modified: cn=FolderPub2@nstx.local,cn=mail,dc=nstx,dc=local
# doveadm acl get -u mail1@nstx.local shared/pub2@nstx.local
ID                    Global Rights
group=grp4                   lookup read write write-seen                             ←←←←←←←←←← FAIL IN OLD VERSION
user=mail3@nstx.local        insert lookup post read write write-seen                 ←←←←←←←←←← FAIL IN OLD VERSION
#

Check new package version:

# udm mail/folder create --position "cn=mail,$ldap_base" --set name=FolderPub3 --set mailPrimaryAddress=pub3@nstx.local --set mailDomain=nstx.local --set mailHomeServer=master90.nstx.local
Object created: cn=FolderPub3@nstx.local,cn=mail,dc=nstx,dc=local
# doveadm acl get -u mail1@nstx.local shared/pub3@nstx.local
ID Global Rights
# udm mail/folder modify --dn cn=FolderPub3@nstx.local,cn=mail,$ldap_base --append sharedFolderUserACL="mail3@nstx.local append" --append sharedFolderGroupACL="grp4 read"
Object modified: cn=FolderPub3@nstx.local,cn=mail,dc=nstx,dc=loca
# doveadm acl get -u mail1@nstx.local shared/pub3@nstx.local
ID                    Global Rights
group=grp4                   lookup read write write-seen
user=mail3@nstx.local        insert lookup post read write write-seen
# udm mail/folder modify --dn cn=FolderPub3@nstx.local,cn=mail,$ldap_base --remove sharedFolderUserACL="mail3@nstx.local append"
Object modified: cn=FolderPub3@nstx.local,cn=mail,dc=nstx,dc=local
# doveadm acl get -u mail1@nstx.local shared/pub3@nstx.local
ID         Global Rights
group=grp4        lookup read write write-seen
# udm mail/folder modify --dn cn=FolderPub3@nstx.local,cn=mail,$ldap_base --remove sharedFolderGroupACL="grp4 read"
Object modified: cn=FolderPub3@nstx.local,cn=mail,dc=nstx,dc=local
# doveadm acl get -u mail1@nstx.local shared/pub3@nstx.local
ID Global Rights
#
Comment 3 Janek Walkenhorst univentionstaff 2016-01-20 13:44:35 CET
<http://errata.software-univention.de/ucs/4.0/388.html>